How Private Is Your Public Cloud? Stacking Up Google, Microsoft And AWS Data Privacy
The battle over data privacy isn't being fought on the mobile phone or in the data center, it's being fought in the cloud.
2016 has brought concerns over data privacy to an all-time high, driven in large part by a drawn-out debate early in the year between Apple and the FBI over an encrypted iPhone, new regulations brought forth in Europe, and lingering concerns about the National Security Agency and government access to personal information exposed by Edward Snowden.
"Without question, it's the No. 1 concern with moving to the cloud," said JD Sherry, vice president of cloud security at Denver-based solution provider Optiv Security.
That barrier is a key concern for companies' bottom line, as the shift to the cloud is expected to drive $1 trillion in direct or indirect spending over the next five years, according to research firm Gartner. Similarly, research firm IDC predicts that more than half of IT infrastructure spending will be in the cloud by 2020.
[Q&A: 'Future Crimes' Author On How To Keep Customer Data Private In The Public Cloud]
Allen Falcon, CEO of Westborough, Mass.-based solution provider Cumulus Global, said security or privacy comes up in every discussion he has with customers about migrating to the cloud, sometimes brought up by the customers themselves, sometimes by Cumulus Global.
Customer concerns about privacy and security are getting easier to overcome with education, but "not fast enough," he said.
Those concerns extend all the way up to the largest of enterprise customers, according to Charles Radi, vice president and principal cloud architect at Cloud Technology Partners, a Boston-based cloud solution provider serving the enterprise market.
"We're dealing with [privacy] issues for pretty much every single customer," Radi said. "It's a topic that always comes up." Radi said Cloud Technology Partners' enterprise customers have particular concerns around government access, privacy regulations, and transitioning security tools from on-premise to the cloud.
Driving a lot of that concern is confusion, said Vic Winkler, independent security consultant and author of "Securing The Cloud."
"It's very difficult to have a well-thought-out perspective on these topics in cybersecurity today because it's a confusing soup of disinformation and different points of view," Winkler said in an interview with CRN. "Cloud service providers are really being challenged in terms of how they ameliorate these concerns in customers in order to grow their businesses. And, they have to if they want to grow their business."
But how well-founded are those concerns when it comes to data privacy in the public cloud? If you ask the major cloud providers themselves, they say: not very.
"This is your data. This is not our data. As a general matter of principle, we design our systems and our processes to make sure that data is treated as yours and not as ours," said Neal Suggs, vice president and deputy general counsel at Microsoft, Redmond, Wash. "Microsoft runs on trust."
Suggs said data usage, control and privacy together make up one of the four pillars on which Microsoft has built its cloud strategy, along with data security, compliance and transparency. Those pillars extend from the design of the company's systems, the processes in place, encryption technologies, an audit process and a culture that "respects that customer-generated content is the customers' content and not our right to use without our customers' consent."
Jennifer Lin, director of product management for cloud security and networking for Google Cloud Platform, echoed that sentiment, saying security and data privacy is one of the top three priorities that comes up when customers consider moving to the cloud. As a result, she said it is "increasingly becoming a major differentiator for how [Google is] thinking about things."
"User data is user data, and we want to make sure we protect users' data. … We have to earn their trust. We have to show them that we do not access customer data. I think we've been very clear on that not only with our public-facing website, but also in how we define migration to the cloud," Lin said.
Amazon Web Services did not make an executive available to be interviewed for this story.
Terms Of Service: Agree Or Disagree?
The issue of privacy plays out primarily in the privacy policies and Terms of Service agreements customers have with cloud providers, said Marc Goodman, global security adviser, futurist and author of "Future Crimes." Those Terms of Service vary greatly from provider to provider, he said, particularly if a business is using a free service versus a paid version.
Paid versions of cloud solutions by Google, Microsoft, Amazon Web Services and other big companies tend to make it "very clear" that the user owns the data, not the cloud provider. That is not true for free cloud services, such as Google's Gmail and Google Drive, he said.
"If you're not paying for it, you're not the customer, you're the product," Goodman said. "Businesses large and small need to look at the so-called free services they're using and the Terms of Service. … ’I have read and agreed to the Terms of Service' is the biggest lie on the internet," Goodman said.
For example, in Google's Data Processing Amendment, which outlines the Mountain View, Calif.-based company's policies for data stored through its Google Apps services, including Google For Work solutions sold by solution providers, the company specifies it will not use customer data for any purpose outside the instructions provided by the customer, including for advertising purposes.
Microsoft and Seattle-based Amazon Web Services have similar language in their own privacy policies and Terms of Service agreements, which were reviewed by CRN.
This contrasts starkly with Google's Privacy Policy for consumer Google Accounts, for example, in which the company says it collects information about services use, device-specific information and location information for a variety of reasons, including improving services, developing new ones, and offering users "more relevant search results and ads."
Does that mean businesses using paid services are scot-free when it comes public cloud privacy and security concerns? Not at all.
While a customer might have fully vetted its cloud provider, the reality is "there are companies who are using the cloud that know it, and there are companies who are using the cloud and don't know it," Goodman said.
A primary example of that is employees who circumnavigate company-sanctioned solutions and instead use personal—often free—cloud services that are easier to provision, said Goodman.
According to Gartner, 95 percent of cloud security failures will end up being the customer's fault by 2020. Many will fail to uphold their end of the shared responsibility model of cloud security, where the customer itself is responsible for securing the data and the cloud provider is responsible for securing the infrastructure.
"Your data could be stored in your employees' cloud without you even knowing it. … Even though you're using Box or AWS—great companies with great Terms of Service—now your employees have taken your confidential quarterly reports, your customer leads, the [intellectual property] of the product you're about to bring to market, and stored it in a cloud provider who, by your employees storing it, has been granted all kinds of rights and access," Goodman said.
For solution providers, this is a real-life concern. Cumulus Global's Falcon, for one, said he has seen countless examples of this with his own customers, including companies that lost data or realized after the fact that they were in breach of compliance regulations. For example, one client's employee was using a personal version of a file-sharing service. When the employee left the company, the customer then had no access to its corporate data, which the employee had stored on his personal cloud account, Falcon said.
Another client's employee was using the consumer version of Dropbox, which had recently been hit by a data breach. The employee was using the same password for both his Dropbox account and his work email. Falcon said a hacker then used that password to log on to the corporate email account to send email malware to all of the employee's contacts.
In yet another example, one client had an employee using a personal file-sharing service that was shared with members of her family on the same account. The employee's children deleted all sorts of sensitive company documents. These incidents are just a few examples of many, Falcon said.
"Our advice to clients is don't use the free service if there is a business-class option, and they shouldn't use the consumer service, whether or not it is free," Falcon said.
As a solution provider, Falcon said it is his job to give customers the best information and recommendations possible to help them make decisions around data privacy. That includes assessing business requirements, information access, policies, regulatory requirements, ongoing monitoring and management, and more, he said.
Most businesses choose to follow Cumulus Global's recommendations around data privacy, according to Falcon. However, he has encountered some customers that would rather risk data privacy by using free consumer-grade services than pay for business-class services. Cumulus Global has walked away from customers who refuse to invest in solutions with sound data privacy standards, especially when it involves regulatory concerns, he said.
"It can create a liability. Our view is your business should be worth enough for you to pay for the business-grade tools," Falcon said.
Public Fights, Private Information
Privacy tensions between the public and private sectors, in particular, were front and center this year, starting with a very public fight between Apple and the FBI over the privacy of an encrypted iPhone used by a terrorist involved in the San Bernardino shooting last year. The FBI ultimately hacked into the iPhone rather than continuing to pursue legal options to compel Apple to unlock the device.
More recently, Microsoft in June scored a key victory related to government access to customer emails stored in data centers outside the U.S. In the case, which Microsoft won in a 3-0 decision in the 2nd U.S. Circuit Court of Appeals in Manhattan, Microsoft challenged a warrant seeking emails stored on one of the company's servers in Dublin, Ireland, saying it would set a dangerous precedent for law enforcement to gain access to American emails stored abroad.
Optiv's Sherry called the privacy ruling a "huge win for cloud computing," saying government access to public cloud information is a "big challenge" that acts as a speed bump for clients contemplating a move to the cloud. That is especially true for global clients, he said.
Microsoft, in particular, has taken a strong stand on cloud privacy issues. In April, the company filed a lawsuit against the U.S. Department of Justice, suing for the right to tell its customers when the government wants access to their data.
Those concerns are very real, with Microsoft reporting it has received 5,624 federal warrants in the past 18 months, 2,576 coming with gag orders.
In its most recent Transparency Report, Google said it received 12,523 requests for data from July to December 2015 in the U.S., producing the data in 79 percent of cases.
Amazon said it received 813 subpoenas, 25 search warrants, 13 court orders and between zero and 249 national security requests for data between January and May 31, 2015.
In the April lawsuit, Microsoft said it is taking a strong stand on the issue because privacy concerns about unannounced government access to data in the cloud "undermine confidence in the privacy of the cloud and have impaired Microsoft's right to be transparent with its customers." At the heart of the issue is customer trust that Microsoft will remain a "steward" of data, rather than the owner of it, Microsoft's Suggs said. Microsoft
will continue to fight for transparency around government access to customer data in the cloud, as trust is key to the viability of its business model, he said, comparing it to the trust customers have in banks that their money will be both safe and available when needed.
"We believe at the core of our mission is that sense of trust, and if we can't gain that trust we can't grow our business. That's the focus for us," Suggs said.
All three major cloud vendors have specific language in their privacy policies addressing government access and professing they will only allow it when legally necessary and will work to notify customers of the request as soon as possible, unless legally prohibited from doing so.
This issue of blind subpoenas of data in the public cloud is the "biggest concern" by enterprise customers, Cloud Technology Partners' Radi said. He said his customers' legal departments work to build specific language into cloud provider contracts to protect them from blind subpoenas of data. Solution providers can help put certain controls in place to prevent the cloud provider from being able to access the data, he said. For example, Cloud Technology Partners recommends encrypting all data in the cloud and managing the encryption keys on-premise, instead of with the cloud provider.
Governments are also taking a more significant role in starting to regulate data privacy in the cloud. The European Union recently rolled out the General Data Protection Regulation, which updates standards around how data is protected and shared between countries. The regulations state that companies must inform individuals about why their data is being collected and provide a way to get access to their data. It also prevents data from being kept permanently and requires a data protection officer for large amounts of data. Cloud providers are also subject to these regulations, which take effect in May 2018.
Privacy Challenges Open The Door To Opportunity For Partners
With confusion comes opportunity, especially when it comes to navigating data privacy and regulatory concerns around the cloud, Doug Cahill, senior analyst covering cloud security at the Enterprise Strategy Group, said. Companies are increasingly more aware that they have a problem when it comes to data privacy, but don't know how to start solving it, a factor Cahill called the "cloud security readiness gap."
"I think companies are fairly self-aware that there is a problem, and this is why it's a great opportunity for the channel," Cahill said. "Partners who have the ability to help customers do that can then strategically help customers incorporate security from the beginning on their journey to the cloud."
Solution providers are in a prime position to provide that guidance, he said. "That's a role best served by partners that understand that world, that understand both the compliance business of data protection security but also are indexed on cloud technologies," he said.
That's important because companies are already looking to fast-track their adoption of the cloud, Cloud Technology Partners' Radi said. Businesses are starting to move large amounts of customer data, confidential data and personally identifiable information data to the cloud, he said. It's up to solution providers to help them do so in a way that meets their security and privacy needs, he said.
Providing user education and training are also key roles partners have to play, author Goodman said. That will prove especially important in turning concern and awareness into action, he said.
"People don't even know the questions to ask their outsourced IT folks so people need to get much more sophisticated about that. … Training is key at the board level, it is key at the C-suite level and it is key for all of your employees," he said.
Sherry agreed, saying that solution providers like Optiv play a key "trusted adviser" role as companies look to navigate their journey to the cloud, standing "shoulder to shoulder with them" through design, consulting, vendor partnerships and advanced cloud security capabilities.
That position as a trusted adviser is critical, Sherry said, as he predicts cloud will grow with "seismic activity" over the next six to 18 months. Where companies are still lagging, he said, is around security and data privacy.
"Ultimately, we're trying to encourage our clients to trust us as the trusted security adviser with that journey to the cloud," Sherry said.